* It also has some session register functions that work across various
* php versions.
*
- * @copyright © 1999-2005 The SquirrelMail Project Team
+ * @copyright © 1999-2006 The SquirrelMail Project Team
* @license http://opensource.org/licenses/gpl-license.php GNU Public License
* @version $Id$
* @package squirrelmail
}
/**
- * Search for the var $name in $_SESSION, $_POST, $_GET,
- * $_COOKIE, or $_SERVER and set it in provided var.
+ * Search for the var $name in $_SESSION, $_POST, $_GET, $_COOKIE, or $_SERVER
+ * and set it in provided var.
*
- * If $search is not provided, or == SQ_INORDER, it will search
- * $_SESSION, then $_POST, then $_GET. Otherwise,
- * use one of the defined constants to look for
- * a var in one place specifically.
+ * If $search is not provided, or if it is SQ_INORDER, it will search $_SESSION,
+ * then $_POST, then $_GET. If $search is SQ_FORM it will search $_POST and
+ * $_GET. Otherwise, use one of the defined constants to look for a var in one
+ * place specifically.
*
- * Note: $search is an int value equal to one of the
- * constants defined above.
+ * Note: $search is an int value equal to one of the constants defined above.
*
- * example:
- * sqgetGlobalVar('username',$username,SQ_SESSION);
- * -- no quotes around last param!
+ * Example:
+ * sqgetGlobalVar('username',$username,SQ_SESSION);
+ * // No quotes around last param, it's a constant - not a string!
*
* @param string name the name of the var to search
* @param mixed value the variable to return
function sqsetcookie($sName,$sValue,$iExpire=false,$sPath="",$sDomain="",$bSecure=false,$bHttpOnly=true) {
$sHeader = "Set-Cookie: $sName=$sValue";
if ($sPath) {
- $sHeader .= "; Path=\"$sPath\"";
+ $sHeader .= "; path=$sPath";
}
- if ($iExpire !==false) {
+ if ($iExpire !== false) {
$sHeader .= "; Max-Age=$iExpire";
- }
- if ($sPath) {
- $sHeader .= "; Path=$sPath";
+ // php uses Expire header, also add the expire header
+ $sHeader .= "; expires=". gmdate('D, d-M-Y H:i:s T',$iExpire);
}
if ($sDomain) {
$sHeader .= "; Domain=$sDomain";
if ($bHttpOnly) {
$sHeader .= "; HttpOnly";
}
- $sHeader .= "; Version=1";
+ // $sHeader .= "; Version=1";
header($sHeader);
}
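Review bot: `Max-Age=$iExpire` and the added `expires=` attribute read the same `$iExpire` with two different meanings, since Max-Age is a lifetime in seconds while `gmdate()` formats its argument as an absolute Unix timestamp. If callers pass a lifetime, the Expires date lands in 1970 and clients that honour Expires discard the cookie at once; if they pass a timestamp, Max-Age is wrong instead. Pick one convention and derive the other, e.g. for a lifetime `$sHeader .= "; expires=" . gmdate('D, d-M-Y H:i:s T', time() + $iExpire);`. Separately, the new `path=$sPath` drops the quoting and every value is still interpolated raw, so a `;` or line break in `$sName`, `$sValue`, `$sPath` or `$sDomain` would add cookie attributes or headers if any of them can be caller-influenced; rejecting those characters before building `$sHeader` closes that. Part of the function body is not visible in this hunk.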
/* if running with magic_quotes_gpc then strip the slashes
from POST and GET global arrays */
-
if (get_magic_quotes_gpc()) {
sqstripslashes($_GET);
sqstripslashes($_POST);
}
+/**
+ * If register_globals are on, unregister globals.
+ * Code requires PHP 4.1.0 or newer.
+ */
+if ((bool) @ini_get('register_globals')) {
+ /**
+ * Remove all globals from $_GET, $_POST, and $_COOKIE.
+ */
+ foreach ($_REQUEST as $key => $value) {
+ unset($GLOBALS[$key]);
+ }
+ /**
+ * Remove globalized $_FILES variables
+ * Before 4.3.0 $_FILES are included in $_REQUEST.
+ * Unglobalize them in separate call in order to remove dependency
+ * on PHP version.
+ */
+ foreach ($_FILES as $key => $value) {
+ unset($GLOBALS[$key]);
+ // there are three undocumented $_FILES globals.
+ unset($GLOBALS[$key.'_type']);
+ unset($GLOBALS[$key.'_name']);
+ unset($GLOBALS[$key.'_size']);
+ }
+ /**
+ * Remove globalized environment variables.
+ */
+ foreach ($_ENV as $key => $value) {
+ unset($GLOBALS[$key]);
+ }
+ /**
+ * Remove globalized server variables.
+ */
+ foreach ($_SERVER as $key => $value) {
+ unset($GLOBALS[$key]);
+ }
+}
+
/* strip any tags added to the url from PHP_SELF.
This fixes hand crafted url XXS expoits for any
page that uses PHP_SELF as the FORM action */
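Review bot: The unregister loops call `unset($GLOBALS[$key])` for every request-supplied key without skipping PHP's reserved names, so a parameter named `_SERVER`, `_SESSION` or `GLOBALS` may remove the very arrays the rest of the code relies on (the exact effect depends on the PHP version). Guard each loop with something like `if (in_array($key, $aReserved)) { continue; }`, where `$aReserved` lists `GLOBALS`, `_GET`, `_POST`, `_COOKIE`, `_REQUEST`, `_FILES`, `_ENV`, `_SERVER` and `_SESSION`. The `$_SESSION` loop added at the end of the file has the same gap. Also, `(bool) @ini_get('register_globals')` is true for the string `Off`, which some configurations return, so the block can run with the setting disabled; comparing the lower-cased value against `off` avoids that.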
sqsession_is_active();
-// vim: et ts=4
-?>
\ No newline at end of file
+/**
+ * Remove globalized session data in rg=on setups
+ */
+if ((bool) @ini_get('register_globals')) {
+ foreach ($_SESSION as $key => $value) {
+ unset($GLOBALS[$key]);
+ }
+}
+
+?>